DEV544: Secure Coding in .NET: Developing Defensible Applications

"This is a must-have for all applications and must-know for all developers. I recommend it to my colleagues." - Praveen Palety, Western Union Business Solutions

"DEV544 does a terrific job at discussing security in .NET, a fairly elusive part of .NET programming." - Craig Allyn Moore, Oncology Nursing Society

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. However, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the responsibility is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

Have you ever wondered if the built-in ASP.NET validation is effective? Have you been concerned that Windows Communication Foundation (WCF) services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework?

DEV544: Secure Coding in .NET: Developing Defensible Applications will help students leverage built-in and custom defensive technologies to integrate security into their applications. This comprehensive course covers a huge set of skills and knowledge. It is not a high-level theory course. It is about real programming. Students examine actual code, work with real tools, build applications, and gain confidence in the resources they need to improve the security of .NET applications.

Rather than teaching students to use a set of tools, the course teaches students the concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates with a security review of a real-world open source application. Students will conduct a code review, review a penetration test report, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that they have learned in class, implement fixes for these issues.

PCI Compliance

Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify processes that require training in secure coding techniques for developers. This is the course for you if your application processes cardholder data and you are required to meet PCI compliance.

You Will Learn To:

Understand attackers' methodologies and how they will attack your web application.

Overview

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. On the first day of this course, students will examine some of the most prevalent web application vulnerabilities, such as XSS, SQL Injection, Open Redirects and Parameter Manipulation. You will learn how to find these issues and how to re-create them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.

The course is full of hands-on exercises where you can apply practical data validation techniques to prevent common attacks with defense, including input validation, output encoding and the use of new techniques like Content Security Policy.
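The defenses named above (input validation, output encoding, parameterized queries and a Content Security Policy header) can be shown side by side with the flaws they prevent. The following C# snippet is an added illustration written for this page, not code from the course materials; the username pattern, the table and column names and the CSP policy string are assumptions chosen for the example.

```csharp
// Added example (not from the course materials): an injectable query and
// raw HTML output next to the parameterized query, HTML output encoding
// and Content Security Policy header that defend against them.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Text.RegularExpressions;
using System.Web;

public static class DefensiveSamples
{
    // Input validation: allow-list the shape of a username before using it.
    // The pattern is an assumption for this example.
    private static readonly Regex UserNamePattern =
        new Regex("^[A-Za-z0-9_]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string candidate)
    {
        return candidate != null && UserNamePattern.IsMatch(candidate);
    }

    // Vulnerable (parameter manipulation / SQL injection): user input is
    // concatenated into the SQL text, so a value containing a quote
    // changes the query itself.
    public static SqlCommand LookupUserUnsafe(SqlConnection conn, string userName)
    {
        return new SqlCommand(
            "SELECT Id FROM Users WHERE UserName = '" + userName + "'", conn);
    }

    // Fixed: the value travels as a typed parameter, never as SQL text.
    // Table and column names are assumptions for this example.
    public static SqlCommand LookupUserSafe(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 32).Value = userName;
        return cmd;
    }

    // Vulnerable (XSS): untrusted data is written into HTML verbatim.
    public static string GreetingHtmlUnsafe(string displayName)
    {
        return "<p>Welcome, " + displayName + "</p>";
    }

    // Fixed: encode for the HTML context at the point of output.
    // WebUtility.HtmlEncode turns < > & " ' into entities, so a stored
    // name such as <script>... renders as text instead of executing.
    public static string GreetingHtmlSafe(string displayName)
    {
        return "<p>Welcome, " + WebUtility.HtmlEncode(displayName) + "</p>";
    }

    // Content Security Policy: emit the header on every response. The
    // policy below is an illustrative starting point, not a recommendation
    // taken from the course; tighten it to what your pages actually load.
    public static void AddCsp(HttpResponse response)
    {
        response.AddHeader("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'");
    }
}
```

The two "unsafe" methods are included only so a reviewer can compare them with their fixed counterparts; in a real code base only the parameterized query and the encoded output belong in production, and the validation check runs before either is called.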

Overview

A secure architecture is vital for mission-critical .NET applications. This course day examines various built-in .NET security features such as cryptography, password storage, web service security, and many other .NET features you should consider while writing secure code. A number of hands-on exercises will guide you through writing a cryptography utility for storing sensitive data and user passwords, protecting data in memory, exploiting a running application using DLL injection, and much more.

Overview

Understanding how to leverage .NET to design a secure architecture with solid secure coding principles is critical to application security. This course day combines tried and tested information security principles with secure coding principles to help you build rock-solid applications.

Overview

This session looks at each phase of the secure software development lifecycle (SDLC) and discusses how security fits into the process. Using what they have learned about web application vulnerabilities, students will review code from an open-source application to identify various vulnerabilities. Then you will perform security testing and actually exploit these weaknesses. Once these weaknesses have been exploited, you will fix them using the security coding techniques learned during the course.

!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE INSTRUCTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Player on your system prior to the start of the class. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

VMware Player is a free download that does not require a commercial license.

Mandatory Laptop Requirements

Mandatory Host Hardware Requirements

Central Processing Unit (CPU): 2.0 GHz or faster processor

Memory: 4 GB of RAM minimum

Hard disk: 40 GB of free disk space

Working USB 2.0 or higher port

Students should have the capability to have Local Administrator Access within their host operating system

Mandatory Host Operating System Requirements

You must bring a laptop with one of the operating systems listed below. These operating systems have been verified to be compatible with the course VMware image:

Windows 8

Windows 7

Mac OS X (Lion, Mountain Lion, Yosemite)

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to the course:

Developers who need to be trained in secure coding techniques to meet PCI compliance

While this course is focused specifically on software development, it is accessible enough for anyone who is comfortable working with code and who has an interest in understanding the developer's perspective. This includes:

Application security auditors

Technical project managers

Senior software QA specialists

Penetration testers who want a deeper understanding of how to target ASP.NET web applications or who want to provide more detailed vulnerability remediation options

"This course illustrated just how easy it is to write exploitable code and how to prevent the attacks." - Brian Scoggins, TransCard, LLC

"I do development on a daily basis. This information is extremely valuable! I discovered several areas of my applications that have areas where security can be improved." - SANS DEV544 Attendee, Meijer

"This class should be required for anyone in the field of software development." - SANS DEV544 Attendee, Meijer

Author Statement

Developers are always up against rigid deadlines, sparse and changing requirements, and constant production support issues. This leaves little time for keeping up with current threats and defenses, and inevitably makes security an afterthought. Bolting security on at the end of the development phase leaves applications vulnerable, and requires significantly more effort than if the applications were architected with security in mind from the beginning. CWE defines approximately 658 software weaknesses that can be introduced at different points in the software development lifecycle. An attacker only needs to expose one of these, while developers feel pressure to defend against them all. The goal of this course is not to teach developers how to write 100% secure code, but instead to help developers change their mindset to developing defensible code from the early stages of the software development lifecycle. This will allow applications to withstand an attack and provide feedback when under attack, enabling organizations to adjust and adapt to the changing threat landscape.

This course covers common attacks - including applicable topics from the CWE/SANS Top 25 Most Dangerous Programming Errors, the OWASP Top 10 and deficiencies in the .NET framework - while also providing solid defensive techniques. It will change the way developers approach the design and implementation of software. Take part in this exciting class and arm yourself with the knowledge to protect your .NET applications. - Eric Johnson
